RE-implemented starlord + vault #649
Conversation
| access_key = "{{ user_vault_s3_access_key }}" | ||
| secret_key = "{{ user_vault_s3_secret_key }}" | ||
| bucket = "{{ user_vault_s3_bucket }}" | ||
| region = "us-west-2" |
There was a problem hiding this comment.
Can we turn this into a variable too
There was a problem hiding this comment.
that's seriously hardcoded everywhere.
| @@ -0,0 +1,6 @@ | |||
| path "auth/token/create/organizations-readonly" { | |||
There was a problem hiding this comment.
Seems like these files are not currently on the host and have to be manually uploaded. Can we turn this into config map and load it into vault as a volume? (Make installation easier)
There was a problem hiding this comment.
No, you run these locally against the host.
There was a problem hiding this comment.
This if fine for now, but we'll have to automate everything after the init + unseal of the vault in order to make installation easier.
There was a problem hiding this comment.
We can't automate it unless we have the scripts modify devops-scripts repo directly itself.
| - name: RABBITMQ_USERNAME | ||
| value: "{{ rabbit_username }}" | ||
|
|
||
| container_run_opts: > |
There was a problem hiding this comment.
I don't think we need this in kuberentes. This is only used by the container_kill_start role.
group_vars/alpha-cadvisor.yml
8:container_run_opts: >
group_vars/alpha-consul.yml
12:container_run_opts: >
group_vars/alpha-deployer.yml
12:container_run_opts: >
group_vars/alpha-enterprise-sign-in.yml
24:container_run_opts: >
group_vars/alpha-node-exporter.yml
8:container_run_opts: >
group_vars/alpha-swarm-daemon.yml
7:container_run_opts: >
group_vars/alpha-swarm-manager-metrics.yml
20:container_run_opts:
group_vars/alpha-web.yml
23:container_run_opts: >
group_vars/alpha-vault.yml
9:container_run_opts: >
roles/container_kill_start/tasks/main.yml
79: {{ container_run_opts | trim }} \
roles/container_restart/tasks/main.yml
37: shell: docker run {{ docker_container_run_opts | trim }} {{ docker_image }}:{{ docker_image_version }}
roles/container_start/tasks/main.yml
59: {{ container_run_opts | trim }} \
There was a problem hiding this comment.
oh, interesting. Good to know. I had two different mixed implementations that I was trying to cobble together.
| - name: REGISTRY_ENVIRONMENT | ||
| value: "production" | ||
| - name: REGISTRY_STORAGE | ||
| value: "s3" |
| - name: REGISTRY_STORAGE_S3_BUCKET | ||
| value: "{{ registry_s3_bucket }}" | ||
| - name: REGISTRY_ENVIRONMENT | ||
| value: "production" |
There was a problem hiding this comment.
Seems like this should be the actual environment, right?
There was a problem hiding this comment.
I have no clue how this file got added... at all... must be a shitty merge of some sort?
| - name: VAULT_ENDPOINT | ||
| value: "http://{{ user_vault_host_address }}:{{ user_vault_port }}" | ||
| - name: VAULT_TOKEN | ||
| value: "{{starlord_vault_token}}" |
There was a problem hiding this comment.
Eventually we should move all of these to kuberentes secrets.
There was a problem hiding this comment.
And probably use: https://www.vaultproject.io/docs/auth/approle.html
ansible/delta-hosts/variables
Outdated
| @@ -142,9 +142,17 @@ sauron_rollbar_key=83157ae2d50d4b6398e404c0b9978d26 | |||
| aws_access_key_id=AKIAJ3RCYU6FCULAJP2Q | |||
| aws_secret_access_key=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 | |||
|
|
|||
| [starlord:vars] | |||
| starlord_vault_token=1234 | |||
There was a problem hiding this comment.
I will add this when this is approved and I deploy vault to prod
ansible/delta-hosts/variables
Outdated
| [swarm-manager:vars] | ||
| environment_name=delta | ||
|
|
||
| [user-vault:vars] | ||
| user_vault_s3_access_key=1234 |
There was a problem hiding this comment.
Vault is backed by s3, this is so we can configure it. I'm waiting on getting an access_key for prod.
| @@ -0,0 +1,52 @@ | |||
| # Configuring Vault | |||
|
|
|||
| Vault is specifically setup to be manually setup. This is not automated for a reason. | |||
There was a problem hiding this comment.
specifically setup to be manually setup? Used setup twice in one sentence
Created a user-vault and added implementation to starlord.